An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS12OGdxLTVncnEtOTcyOM4AAu1-
mozjpeg DecompressScanlines::read_scanlines is Unsound
This issue and vector is similar to RUSTSEC-2020-0029 of
rgb crate which
mozjpeg depends on.
Affected versions of
mozjpeg crate allow creating instances of any type
T from bytes,
and do not correctly constrain
T to the types for which it is safe to do so.
Examples of safety violation possible for a type
Tcontains a reference type, and it constructs a pointer to an invalid, arbitrary memory address.
Trequires a safety and/or validity invariant for its construction that may be violated.
The issue was fixed in 0.8.19 by using safer types and involving
rgb dependency bump.
Source: GitHub Advisory Database
Published: about 1 year ago
Updated: 11 months ago
Fixed in: 0.8.19